The AWS CloudHSM service helps you meet corporate, contractual and regulatory compliance requirements for data security by using dedicated Hardware Security Module (HSM) appliances within the AWS cloud. With CloudHSM, you control the encryption keys and cryptographic operations performed by the HSM.

AWS and AWS Marketplace partners offer a variety of solutions for protecting sensitive data within the AWS platform, but for applications and data subject to rigorous contractual or regulatory requirements for managing cryptographic keys, additional protection is sometimes necessary. Until now, your only option was to store the sensitive data (or the encryption keys protecting the sensitive data) in your on-premises datacenters. Unfortunately, this either prevented you from migrating these applications to the cloud or significantly slowed their performance. The AWS CloudHSM service allows you to protect your encryption keys within HSMs designed and validated to government standards for secure key management. You can securely generate, store, and manage the cryptographic keys used for data encryption such that they are accessible only by you. AWS CloudHSM helps you comply with strict key management requirements without sacrificing application performance.

As part of the service, you have dedicated access to HSM capabilities in the cloud. AWS CloudHSM protects your cryptographic keys with tamper-resistant HSM appliances that are designed to comply with international (Common Criteria EAL4+) and U.S. Government (NIST FIPS 140-2) regulatory standards for cryptographic modules. You retain full control of your keys and cryptographic operations on the HSM, while Amazon manages and maintains the hardware without having access to your keys.

By protecting your keys in hardware and preventing them from being accessed by third parties, AWS CloudHSM can help you comply with the most stringent regulatory and contractual requirements for key protection.

AWS CloudHSM is available in multiple Regions and Availability Zones (AZs) to help you build highly available applications that require strong key protection. The CloudHSM Command Line Interface (CLI) Tools can help you configure high availability (HA) groups that span multiple Availability Zones, so you can build resilient applications. In the unlikely event of a hardware failure, you can launch a new CloudHSM instance and replicate the keys to the new HSM with a few commands. You can also use AWS CloudHSM with your compatible on-premises HSMs to securely store keys in your datacenter. This increases key durability and gives you the flexibility to securely migrate keys in and out of AWS.

You can use CloudHSM with Amazon Redshift, Amazon Relational Database Service (RDS) for Oracle, or third-party applications such as SafeNet ProtectV volume encryption for EBS, Apache (SSL termination), or Microsoft SQL Server (transparent data encryption). You can also use CloudHSM when writing your own applications and continue to use the standard cryptographic libraries you’re familiar with, including PKCS#11, Java JCA/JCE, and Microsoft CAPI and CNG.

If you need to track resource changes, or audit activities for security and compliance purposes, you can review all of the CloudHSM API calls made from your account through CloudTrail. Additionally, you can audit operations on the HSM appliance using syslog or send syslog log messages to your own collector.
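The CloudTrail review mentioned above, as an added example that is not AWS code or part of the original page: it loads a CloudTrail log file (a JSON object whose `Records` list holds one entry per API call), keeps only the calls whose `eventSource` is `cloudhsm.amazonaws.com`, counts them per action, and flags denied calls and the destructive actions an auditor would want to see first. The records are constructed sample data, the account id and IP addresses are documentation placeholders, and the set of actions treated as destructive is an assumption you should adjust to your own policy.

```python
import json

# Constructed sample CloudTrail records (not real AWS data). Only the fields the
# review needs are included; the field names follow the CloudTrail record format.
SAMPLE_RECORDS = [
    {"eventTime": "2024-01-10T09:15:02Z", "eventSource": "cloudhsm.amazonaws.com",
     "eventName": "CreateHsm", "awsRegion": "us-east-1",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/hsm-admin"},
     "sourceIPAddress": "198.51.100.7"},
    {"eventTime": "2024-01-10T09:20:41Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances", "awsRegion": "us-east-1",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/deployer"},
     "sourceIPAddress": "198.51.100.7"},
    {"eventTime": "2024-01-10T22:03:19Z", "eventSource": "cloudhsm.amazonaws.com",
     "eventName": "DeleteHsm", "awsRegion": "us-east-1",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/contractor"},
     "sourceIPAddress": "203.0.113.44",
     "errorCode": "AccessDenied", "errorMessage": "User is not authorized to perform this action"},
    {"eventTime": "2024-01-11T08:02:55Z", "eventSource": "cloudhsm.amazonaws.com",
     "eventName": "DeleteHsm", "awsRegion": "us-east-1",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/hsm-admin"},
     "sourceIPAddress": "198.51.100.7"},
]

# A CloudTrail log file is a JSON object with a top-level "Records" list.
SAMPLE_LOG_TEXT = json.dumps({"Records": SAMPLE_RECORDS})

CLOUDHSM_SOURCE = "cloudhsm.amazonaws.com"

# Assumed policy: actions that remove HSM resources are always reported,
# even when they succeed. Extend this set to match your own requirements.
DESTRUCTIVE_ACTIONS = {"DeleteHsm", "DeleteHapg", "DeleteLunaClient"}


def load_records(log_text):
    """Parse the text of one CloudTrail log file and return its Records list."""
    return json.loads(log_text)["Records"]


def cloudhsm_events(records):
    """Keep only the API calls made to the CloudHSM service."""
    return [r for r in records if r.get("eventSource") == CLOUDHSM_SOURCE]


def review(records):
    """Summarise CloudHSM API activity: per-action counts plus a findings list.

    A finding is produced for every call that was denied (errorCode present)
    and for every successful call to an action in DESTRUCTIVE_ACTIONS.
    """
    events = cloudhsm_events(records)
    by_action = {}
    findings = []
    for r in events:
        action = r["eventName"]
        by_action[action] = by_action.get(action, 0) + 1
        actor = r.get("userIdentity", {}).get("arn", "<unknown>")
        src = r.get("sourceIPAddress", "<unknown>")
        if r.get("errorCode"):
            findings.append(f"{r['eventTime']} DENIED {action} by {actor} "
                            f"from {src} ({r['errorCode']})")
        elif action in DESTRUCTIVE_ACTIONS:
            findings.append(f"{r['eventTime']} DESTRUCTIVE {action} by {actor} from {src}")
    return {"total": len(events), "by_action": by_action, "findings": findings}


if __name__ == "__main__":
    result = review(load_records(SAMPLE_LOG_TEXT))
    print(f"CloudHSM API calls: {result['total']}")
    for action, count in sorted(result["by_action"].items()):
        print(f"  {action}: {count}")
    print("Findings:")
    for line in result["findings"]:
        print("  " + line)
```

Run against a real export, read each CloudTrail log file from the bucket and pass its contents to `load_records`; the filter on `eventSource` is what separates CloudHSM control-plane calls from the rest of the account's activity, and the findings list is a reasonable starting point for an alert rule. Note that CloudTrail records the API calls that manage the HSM resources, not the cryptographic operations inside the appliance; those appear in the HSM's syslog, as the paragraph above says.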